Rigo,
I like the idea of 'Controllability' especially when discussing what
seems like a serious privacy vulnerability. I definitely think that
the 'leakyness' of MAC addresses is a bad thing? Although, recent
headlines of Russian spies being caught in the US are due to MAC
address sniffing. http://www.bbcfocusmagazine.com/issue/ispy Which
illustrates that context and perspective seems to determine its
benefit or detriment.
In this regard maybe some more research and analysis of this issues is
warranted? What do you think about the idea of tracking the use of MAC
addresses and submitting a subject access request (or two) to
organisations that are storing MAC addresses?
The challenge (I propose) is to track institutional use of MAC address
to attempt to find the frequency and occurence of a MAC address in
databases. What these MAC addresses are being used for, their state
of storage and transmission. Etc.
With this research we could then look at stuff like 'Controllability'
across both technology and policy implementations.
Does this sound like an interesting approach?
Mark Lizar
(strawman) Subject Access Request
Dear (enter org)
We respectful request (informal) subject access to information
regarding the transmission of a MAC address and its technical
environment for research and personal purposes. As such we require:
a description of how MAC addresses are harvested and used;
the purposes for which they are being processed; and
the disclosees, or potential disclosees, of this personal data.
Do you provide notice of this activity to the MAC address owner? Do
provide notice of this activity at all?
Ask if org Informed of basic legal notice that is required to a data
subject (if appropriate)
Or/And Formally:
We would like to submit this request under section (what ever law)
(e.g. Data Protection Act. UK)
I understand that you collect and harvest this "xxxx" MAC address, is
this true? If (Y) then
Please present a log of this MAC address, its frequency in your
databases, and its use.
Please provide a list of all third parties this MAC address has been
shared with along with when this MAC address was shared with a 3rd
party.
Best Regards,
Signed The Inquiring Research/Data Subject.
*** Rinse and Repeat **
E.g. change the MAC address and query third parties in the same way
until the use of the MAC address is as mapped as possible.
On 9 Oct 2010, at 00:13, Rigo Wenning wrote:
> I think the trouble we are facing is that something is working
> different than
> the way we expect it to work. I still lack sufficient knowledge
> about the real
> bits, but I wanted to share my thoughts.
>
> I think we react (and that was also my reaction) because MAC-
> addresses are
> something useful in my local network. It helps me to do all kinds of
> things.
> But if some software is capable of blowing the boundaries of this
> local
> network, the MAC address turns into a uniqueID facilitating
> traceablility.
>
> Now while we have other expectations for MAC addresses, IPv6
> addresses are
> supposed to identify a device. So no need for a MAC address to do
> the tracing
> in a near future.
>
> But is this evil? Evil means that somebody has consciousness about a
> behaviour
> being rejected by society and still continues to do it. But I think
> somebody
> just tried to be useful so that they can provide your location
> history (and
> benefit from that at the same time)
>
> So what we should discuss here is the profound expectations and
> requirements
> we have for a democratic society concerning this unique identifiers.
> And there
> things like "controlabilty" come to my mind.
>
> To conclude, I think it is not without value to collect such cases
> and give
> some opinions that may even turn into some best practice in one way
> or the
> other.
>
> One way to do that may be the PLING wiki, where we collect already
> those
> enlightening cases. The challenge in this case is to describe the
> case as
> neutral as possible and keep the emotions of deceived expectations
> in a
> separate statement.
> http://www.w3.org/Policy/pling/wiki/InterestingCases
>
> Anyone willing to write this down?
>
> Best,
>
> Rigo
>
>
>
> On Tuesday, October 05, 2010 13:31:17 Thomas Roessler wrote:
>>> Bluetooth also uses Mac addresses. Maybe someone is harvesting
>>> those as
>>> well. You could probably track a person's movements by following
>>> sightings of their WiFi or Bluetooth. Ugh. I am effectively
>>> broadcasting "It's me, I'm nearby" all the time, to anyone who
>>> cares to
>>> listen.
>>>
>>>
>>>
>>> Can I have a tin-foil hat, please?
>>
>> And yes, it certainly is possible to use a geolocation provider to
>> harvest
>> this sort of information about users' machines. It's also possible
>> (to go
>> down the tin-foil route a bit further) to harvest this sort of
>> information
>> about nearby machines, e.g,. using malware.